Old Trojan Remains Effective

Friday, October 18, 2013 @ 11:10 AM gHale

A cybercriminal campaign is using the information stealing Trojan Nemim to gather data from the United States and Japan along with India and the United Kingdom.

The Trojan Nemim has been around since as early as the fall of 2006 and has been mainly used to steal account credentials for applications such as Internet Explorer, Firefox, Chrome, Outlook, Windows Mail, Gmail Notifier, Google Talk, MSN Messenger and Google Desktop, said researchers at Symantec.

The threat has three components: an infector, a downloader and an information stealer. The infector is not sophisticated. It simply decrypts, drops and runs an embedded executable file that represents the downloader component.

The downloader acts as a wrapper for an encrypted executable which is loaded dynamically after decryption. This executable holds the actual downloader functionality responsible for retrieving the information stealer component.
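The two-stage layout described above (an infector carrying an encrypted, embedded executable, and a downloader that is itself only a wrapper around another encrypted executable) is a pattern defenders can triage statically. The following script is an added example and not code from Symantec or from this article: it flags a Windows executable that either contains a plaintext embedded PE header (a dropper that did not bother to encrypt its payload) or a large high-entropy region (an encrypted or packed payload, as the article describes). The sample file it scans is constructed inline, and the function names and thresholds are the author's own choices.

```python
import math
import random
from collections import Counter


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for empty, up to 8.0 for uniform random)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def find_high_entropy_regions(data: bytes, window: int = 512, threshold: float = 7.0):
    """Return (start, end) byte ranges whose windows all exceed the entropy threshold.

    Encrypted or compressed payloads embedded in an executable show up as
    contiguous runs of near-uniform bytes; ordinary code and headers do not.
    """
    regions, start = [], None
    for off in range(0, len(data), window):
        chunk = data[off:off + window]
        if len(chunk) < window // 2:      # ignore a tiny tail window
            break
        if shannon_entropy(chunk) >= threshold:
            if start is None:
                start = off
        elif start is not None:
            regions.append((start, off))
            start = None
    if start is not None:
        regions.append((start, len(data)))
    return regions


def find_embedded_pe(data: bytes):
    """Return offsets of *embedded* PE images: an 'MZ' stub (not at offset 0)
    whose e_lfanew field points at a valid 'PE\\0\\0' signature."""
    hits = []
    idx = data.find(b"MZ", 1)             # offset 0 is the host file's own header
    while idx != -1:
        if idx + 0x40 <= len(data):
            e_lfanew = int.from_bytes(data[idx + 0x3C:idx + 0x40], "little")
            pe_off = idx + e_lfanew
            if 0 < e_lfanew < 0x1000 and data[pe_off:pe_off + 4] == b"PE\0\0":
                hits.append(idx)
        idx = data.find(b"MZ", idx + 1)
    return hits


def triage(data: bytes) -> dict:
    """Combine both heuristics into one verdict for a file image."""
    embedded = find_embedded_pe(data)
    regions = find_high_entropy_regions(data)
    return {
        "embedded_pe_offsets": embedded,
        "high_entropy_regions": regions,
        "suspicious": bool(embedded) or bool(regions),
    }


# --- constructed sample input (not a real Nemim binary) ---------------------

def fake_pe_header(size: int) -> bytes:
    """Minimal DOS/PE stub: 'MZ', e_lfanew = 0x80, 'PE\\0\\0' at 0x80, zero padded."""
    hdr = bytearray(size)
    hdr[0:2] = b"MZ"
    hdr[0x3C:0x40] = (0x80).to_bytes(4, "little")
    hdr[0x80:0x84] = b"PE\0\0"
    return bytes(hdr)


def build_sample(encrypted: bool = True) -> bytes:
    """Host stub (2048 bytes) followed by a 4096-byte embedded payload.

    encrypted=True  -> payload is pseudo-random bytes (simulates the article's
                       encrypted embedded executable; detected by entropy)
    encrypted=False -> payload is a plaintext PE stub (detected by signature)
    """
    host = fake_pe_header(2048)
    if encrypted:
        rng = random.Random(1234)          # fixed seed keeps the sample deterministic
        payload = bytes(rng.randrange(256) for _ in range(4096))
    else:
        payload = fake_pe_header(4096)
    return host + payload


if __name__ == "__main__":
    for label, sample in (("encrypted", build_sample(True)),
                          ("plaintext", build_sample(False))):
        print(label, triage(sample))
```

On a real file, read it with `open(path, "rb").read()` and pass the bytes to `triage`; entropy hits should then be checked against the section table, since legitimately compressed resources also score high and the heuristic is a triage aid, not a verdict on its own.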

However, before this function triggers, several pieces of information are collected from the infected computer, including computer name, username, CPU name, OS version, number of USB devices, IP address and MAC address. The information is encrypted and sent back to a command and control (C&C) server.

Researchers have identified several similarities between Nemim and another Trojan called Egobot, including the code injection technique, the C&C communication format, the encryption, and the method used to steal information.

In addition, both threats contain a timer mechanism that instructs them to delete themselves on a certain date.